Data Encryption

Encryption explained

Encryption protects information by making it unreadable to those without the passphrase or digital key to decode or unlock it. While the process of encrypting information is nothing new, encryption technologies are a hot topic in IT — with good reason. The information below describes the various types of encryption used regularly by IT professionals.

From Wikipedia: Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

At rest vs. in transit

Data can be encrypted in two states: at rest and in transit.

Please note: these two safeguards must be applied in tandem; one does not imply the other. Data encrypted at rest is not guaranteed to remain encrypted as it traverses a network. Conversely, data encrypted "over the wire" offers no guarantee that the content remains encrypted after it has reached its destination.

At rest

Refers to data storage — either in a database, on a disk, or on some other form of media.

Note: Indiana law recognizes the value of disk encryption — such that a lost/stolen laptop or storage media is not considered a breach if that media was encrypted (and the encryption key was not available with the device).

In transit

Refers to data that is encrypted as it traverses a network — including via web applications, smartphone apps, chats, etc. In transit covers the span from the point at which data leaves the storage drive or database until it is re-saved or delivered to its destination. Protecting information in transit guards against anyone attempting to snoop or eavesdrop on it as it crosses the network.

Symmetric vs. asymmetric key algorithms

Symmetric key algorithms use related, often identical keys to both encrypt and then decrypt information. In practice, the key is a shared secret held by two or more parties.

Asymmetric key algorithms, however, use different keys to encrypt and decrypt information; one key encrypts (or locks) while the other decrypts (or unlocks). In practice, this is known as a public/private key pair: the public key can be shared openly; the private key must not be. In a sound cryptographic system, it is computationally infeasible to derive the private key from the public key.

How asymmetric key algorithms work

Using public/private keys, the lock/unlock algorithm can go two ways. Alice can encrypt a message with Bob's public key, and then send it to Bob. Only the holder of Bob's private key should be able to decrypt and read the message. Conversely, Alice could encrypt a message with her own private key: anyone in the world could read it by applying Alice's public key, but doing so also verifies that the message must have come from Alice (more precisely, from whoever holds her private key). This second direction is the basis of digital signatures.
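As an added example (not part of the original page), both directions above carried out with textbook RSA in Python. The primes, names and messages are constructed for the demonstration; unpadded textbook RSA is used only to make the lock/unlock symmetry visible, and it stands in for the padded schemes and vetted libraries real systems rely on.

```python
import hashlib

# Constructed demo keys: Mersenne primes, so primality is certain. Real RSA
# uses random primes of 1024+ bits; this is textbook RSA with no padding.
BOB_PRIMES = (2**61 - 1, 2**31 - 1)
ALICE_PRIMES = (2**89 - 1, 2**17 - 1)
E = 65537  # conventional public exponent


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def apply_key(key, value):
    """Lock or unlock an integer with a key; both are the same modular power."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def digest_mod_n(message, n):
    """SHA-256 of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# Direction 1: lock with Bob's PUBLIC key; only Bob's PRIVATE key opens it.
def encrypt_for(recipient_public, plaintext):
    return apply_key(recipient_public, int.from_bytes(plaintext, "big"))


def decrypt_with(recipient_private, ciphertext):
    m = apply_key(recipient_private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Direction 2: Alice locks a digest with her PRIVATE key. Anyone can unlock
# it with her PUBLIC key, which is exactly what proves she produced it.
def sign(signer_private, message):
    return apply_key(signer_private, digest_mod_n(message, signer_private[0]))


def verify(signer_public, message, signature):
    n = signer_public[0]
    if not 0 <= signature < n:  # signature made under some other modulus
        return False
    return apply_key(signer_public, signature) == digest_mod_n(message, n)
```

Decrypting Alice's ciphertext with any key other than Bob's private key yields garbage, and altering one byte of a signed message or checking the signature against the wrong public key makes verification fail.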

Common technologies that rely on public key cryptography include TLS/SSL and PGP.